CVE-2024-38790
📋 TL;DR
This CSRF vulnerability in the Smartsupp WordPress plugin allows attackers to trick authenticated administrators into performing unintended actions. It affects all WordPress sites using Smartsupp plugin versions up to 3.6.
💻 Affected Systems
- Smartsupp – live chat, chatbots, AI and lead generation WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could change plugin settings, modify chat configurations, or potentially inject malicious code into the live chat system affecting all site visitors.
Likely Case
Attackers modify chat widget settings, change chatbot behavior, or alter lead generation forms to capture sensitive user data.
If Mitigated
With proper CSRF protections, requests would be rejected unless they include valid anti-CSRF tokens, preventing unauthorized actions.
🎯 Exploit Status
CSRF attacks are well-understood and easy to weaponize once the vulnerable endpoints are identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 3.7 or later
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Go to Plugins → Installed Plugins. 3. Find Smartsupp plugin. 4. Click 'Update Now' if available. 5. If no update shows, download version 3.7+ from WordPress.org and manually update.
🔧 Temporary Workarounds
Temporary Plugin Deactivation
allDisable the Smartsupp plugin until patched
wp plugin deactivate smartsupp-live-chat
CSRF Protection via .htaccess
linuxAdd CSRF protection headers at web server level
Header set X-Frame-Options "SAMEORIGIN"
Header set Content-Security-Policy "frame-ancestors 'self'"
🧯 If You Can't Patch
- Implement strict SameSite cookie policies for WordPress admin sessions
- Use browser extensions that block CSRF attempts or enforce additional authentication for sensitive actions
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Smartsupp version. If version is 3.6 or lower, you are vulnerable.Check Version:
wp plugin get smartsupp-live-chat --field=versionVerify Fix Applied:
After updating, verify version shows 3.7 or higher in WordPress plugins list.📡 Detection & Monitoring
Log Indicators:
- Multiple POST requests to /wp-admin/admin.php?page=smartsupp from same IP with different user agents
- Unexpected changes to smartsupp settings in database
Network Indicators:
- POST requests to Smartsupp admin endpoints without Referer headers or with external Referers
SIEM Query:
source="wordpress.log" AND "admin.php?page=smartsupp" AND status=200 AND NOT referer="*wp-admin*"